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The  comprehensive  discipline  of  conformity  assess¬ 
ment  involves  conformance  testing  activities  and  the 
certification  of  information  systems  to  ensure  that 
adopted  standards  are  met.  This  article  provides  an 
overview  of  conformity  assessment,  and  details  the 
steps  the  DoD  Biometrics  Management  Office 
(BMO)  and  its  subordinate  technology  center,  the 
DoD  Biometrics  Fusion  Center  (BFC),  have  under¬ 
way  to  establish  such  a  conformity  assessment  pro¬ 
gram  for  the  implementation  of  interoperable 
biometric  technologies.  With  such  a  program  imple¬ 
mented,  DoD  components  will  adhere  to  DoD  poli¬ 
cies  that  emphasize  the  need  for  conformity 
assessment  activities  to  ensure  the  interoperability  of 
forces,  equipment,  and  processes. 

Interoperability  and  Conformance  Testing 

Achieving  greater  interoperability  among  forces, 
services,  and  components — human  and  technical — is 
a  DoD  priority.  Advances  in  biometric  technologies, 
combined  with  the  growing  needs  for  physical  and 
information  security  and  support  for  U.S.  efforts  in 
the  global  war  on  terrorism,  have  furthered  the  im¬ 
portance  of  the  effort.  The  interoperability  of  prod¬ 
ucts  and  systems  relies  heavily  on  the  application  of 


developed  standards  in  the  design  and  manufacture  of 
system  components,  as  well  as  in  the  testing  and  vali¬ 
dation  of  these  components,  to  provide  evidence  of 
interoperability  before  acquisition  and  deployment. 

Conformance  testing  stems  from  the  global  stan¬ 
dardization  effort.  The  American  National  Standards 
Institute  (ANSI)  and  its  international  counterparts, 
the  International  Organization  for  Standardization 
(ISO)  and  International  Electrotechnical  Commis¬ 
sion,  continue  to  develop  numerous  standards  for  a 
wide  range  of  activities  in  a  variety  of  industries  and 
disciplines.  By  having  products,  programs,  and 
processes  meet  these  standards,  DoD  will  achieve 
greater  reliability,  quality,  and  interoperability. 

Benefits  of  Conformity  Assessment 
for  DoD  Biometrics 

A  comprehensive  conformity  assessment  program 
helps  ensure  that  DoD  s  biometric  products  are  inter¬ 
operable.  A  conformity  assessment  program  can  do 
the  following: 

I  Verify  that  biometric  products  have  been 
developed  or  modified  to  meet  the  appropri- 


DoD  Policy  Documents  Affecting  Conformity  Assessment 

Several  DoD-wide  policy  documents  include  provisions  that  affect  or  imply  that  conformity  assessment 
programs  are  required  to  adequately  meet  DoD  testing  requirements: 

I  DoD  Directive  4630.5,  Interoperability  and  Supportability  of  Information  Technology  (IT)  and  National 
Security  Systems  (NSS),  January  2002. 

I  DoD  Instruction  4630.8,  Procedures  for  Interoperability  and  Supportability  of  Information  Technology 
(IT)  and  National  Security  Systems  (NSS),  June  2004. 

I  Chairman  of  the  Joint  Chiefs  of  Staff  Instruction  621 2.01  C,  Interoperability  and  Supportability  of 
Information  Technology  and  National  Security  Systems,  November  2003. 

I  National  Security  Telecommunications  and  Information  Systems  Security  Policy  1 1 ,  National  Informa¬ 
tion  Assurance  Acquisition  Policy,  revised  July  2003. 
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ate  ANSI  or  ISO  standards  mandated  within 
DoD 

I  Determine  whether  considered  biometric 
products  have  been  sufficiently  tested  to  meet 
the  adopted  standards 

I  Confirm  that  testing  activities  and  test  results 
are  complete,  reproducible,  and  verifiable 

I  Determine  that  the  performance  of  testing 
facilities  and  instruments  meets  accepted 
industry  standards 

I  Provide  accreditation  to  testing  laboratories 
that  are  performing  properly  to  accepted,  rec¬ 
ognized  national  and/or  international  stan¬ 
dards 

I  Determine  the  qualification  of  personnel  who 
perform  conformance  testing 

I  Disseminate  lists  of  properly  tested  and  certi¬ 
fied  vendor  products  for  DoD  community 
consideration. 

Steps  Underway  to  Establish  a  Conformity 
Assessment  Program 

CONFORMANCE  TESTING 

Conformance  testing  ensures  that  standards  adopted 
by  a  program  are  met.  To  enhance  their  credibility, 
product  conformance  testing  procedures  should  fol¬ 
low  well-designed  testing  methods  that  detail  accu¬ 
racy  and  variability  requirements.  Test  methods  alone 
are  not  sufficient  tools  for  testing.  Instead,  test  meth¬ 
ods  should  be  executed  in  the  form  of  conformance 
test  suites  (CTSs),  which  are  automated  tools  used  to 
determine  products’  conformance  to  standards. 

Three  general  approaches  are  used  for  conformance 
testing: 

I  First-party  testing,  which  is  performed  by  ven¬ 
dors  on  their  own  products.  The  primary  risk 
associated  with  first-party  testing  is  that  con¬ 
sumers  have  less  confidence  in  testing  results 
because  consumers  do  not  control  the  testing 


process.  The  concern  is  that  a  potentially 
biased  tester  may  influence  the  testing  results. 

I  Second-party  testing,  which  is  performed  by 
the  consumer  organization.  The  primary  risks 
associated  with  second-party  testing  are  that  it 
may  add  cost  and  responsibility  to  the  con¬ 
sumer  organization.  However,  because  the 
consumer  has  control  over  the  product  sample, 
testing  environment,  testing  staff,  and  testing 
processes,  the  consumer  has  greater  confidence 
that  tested  products  will  conform  to  approved 
standards.  This  allows  the  testing  results  to  be 
more  readily  accepted. 

I  Third-party  testing,  which  is  conducted  by  a 
trusted  testing  laboratory  independent  of  both 
producer  and  consumer  groups.  DoD  views 
third-party  testing  as  the  least  feasible  option 
due  to  its  primary  risks — the  time  and  higher 
costs  it  often  requires.  For  example,  if  the  test¬ 
ing  of  a  specific  version  of  product  takes  a  sig¬ 
nificant  amount  of  time,  it  is  likely  a  newer 
version  of  the  same  product  will  be  available 
before  the  older  version  is  fully  tested. This  will 
place  DoD  (the  consumer)  in  the  position  of 
having  to  choose  either  an  approved  older  ver¬ 
sion  of  a  product  or  a  newer,  but  untested  ver¬ 
sion  of  the  product.  The  higher  costs  associat¬ 
ed  with  third-party  testing  are  typical  in  con¬ 
tracting  agreements  with  third  parties. 

LABORATORY  ACCREDITATION 

Laboratory  accreditation  is  granted  by  an  authorita¬ 
tive  body,  which  certifies  that  a  laboratory  is  compe¬ 
tent  to  perform  testing.  For  example,  if  the  National 
Institute  of  Standards  and  Technology  (NIST)  accred¬ 
its  a  laboratory,  the  laboratory  is  recognized  as  being 
capable  of  certifying  products  through  testing  or 
other  procedures.  Laboratory  accreditation  is,  of 
course,  not  a  guarantee  that  the  facility  will  compe¬ 
tently  test  products  at  all  times.  It  is  for  this  reason 
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that  independent  verification  and  certification  of  test 
results  are  also  recommended. 

PRODUCT  CERTIFICATION 

Certification  provides  another  level  of  assurance 
through  independent  verification  and  validation  that 
a  product  conforms  to  a  standard  or  specification  or 
that  an  organization  is  competent  to  perform  a  cer¬ 
tain  task.  As  with  conformance  testing,  there  are  three 
types  of  certification: 

I  First-party  certification,  which  is  implemented 
by  a  vendor  to  guarantee  that  its  products  meet 
one  or  more  standards.  Use  and  acceptance  of 
a  first-party  certification  system  require  a  con¬ 
sumer  to  depend  on  a  vendors  claims  of  con¬ 
formity.  The  obvious  risk  is  that  a  vendor  may 
only  partially  conform  to  a  standard  while 
claiming  to  conform  to  that  standard  com¬ 
pletely. 

I  Second-party  certification,  which  is  the  use  of 
the  consumers  own  certification  authority  to 
ensure  that  a  desired  product  conforms  to  one 
or  more  standards.  Test  results  may  come  from 
first-party,  second-party,  or  third-party  testing 
laboratories  (as  explained  above),  but  the  vali¬ 
dation,  verification,  and  certification  activities 
are  performed  by  the  consumer’s  organization 
or  certification  authority. 


I  Third-party  certification,  which  is  the  use  of  a 
technically  and  otherwise  competent  certifica¬ 
tion  body — not  controlled  or  influenced  by 
the  consumer  or  the  vendor — to  validate  a 
products  conformity  to  one  or  more  stan¬ 
dards.  As  an  example,  NIST  has  accredited 
eight  common  criteria  testing  laboratories  to 
perform  test  methods  following  Federal 
Information  Processing  Standards  (FIPS)  140-1 
and  140-2,  Security  Requirements  for  Cryptogra¬ 
phic  Modules.  (For  more  information,  see  http:// 
niap.nist.gov/ cc-scheme/ testing_labs.html  and 
http://csrc.nist.gov/cryptval/.)  These  accredited 
laboratories  act  as  third  parties  and  validate  that 
security  products  conform  to  FIPS  140-1  and 
140-2.  Credibility  given  to  a  certification  from 
a  third  party  generally  depends  on  three  fac¬ 
tors:  (1)  the  number  and  types  of  testing  and 
inspection  methods  used  to  ensure  product 
conformance,  (2)  the  vendors  quality  control 
system,  and  (3)  the  competence  of  the 
laboratory. 

Approach  to  Implementing  Conformity 
Assessment  within  DoD  Biometrics 

As  illustrated  in  Figure  1,  the  BMO  and  BFC  are  key 
components  of  the  proposed  approach  for  imple¬ 
menting  a  conformity  assessment  program.  Under 
this  approach,  the  BFC  is  the  testing  laboratory  that 


Biometrics  Management  Office 

The  DoD  BMO  is  responsible  for  leading,  consolidating,  and  coordinating  the  development,  adoption,  and  use  of  bio¬ 
metric  technologies  for  the  combatant  commands,  services,  and  agencies,  to  support  the  warfighter  and  enhance 
joint  service  interoperability.  The  BMO  reports  to  the  Army  Chief  Information  Office,  which  acts  on  behalf  of  the  DoD 
Executive  Agent  for  Biometrics,  the  Secretary  of  the  Army.  The  recently  formed  Identify  Protection  and  Management 
Senior  Coordinating  Group  provides  senior-level,  DoD-wide  strategic  guidance  to  the  BMO,  given  its  mission  to  over¬ 
see  efforts  in  the  areas  of  biometrics,  public  key  infrastructure,  and  smart  cards. 
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FIGURE  1.  Proposed  Conformity  Assessment  Approach. 


determines  the  conformance  of  biometric  technolo¬ 
gies  to  relevant  national  and  international  biometric 
standards.  To  realize  this  approach,  the  BFC  is  work¬ 
ing  to  establish  itself  as  an  accredited  DoD  biometric 
conformance  testing  laboratory.  Once  certified  by  an 
accreditation  authority  (e.g.,  NIST),  the  BFC  will 
provide  testing  to  determine  whether  vendors’  prod¬ 
ucts  actually  conform  to  biometric  standards. 

A  certification  authority  will  provide  the  necessary 
validation  of  the  BFC’s  test  results  and  the  certifica¬ 
tion  of  products  or  technologies.  The  certification  au¬ 
thority  may  also  provide  system  testing  when 
necessary  to  prove  the  interoperability  of  multiple 
technologies  that  have  been  combined  into  one  sys¬ 
tem.  Test  reports  and  a  list  of  certified  biometric 


products  will  be  made  available  to  DoD  through  an 
appropriate  interface. 

The  proposed  conformity  assessment  approach  also 
includes  a  certification  control  board — with  repre¬ 
sentatives  of  the  certification,  testing,  client,  and  ven¬ 
dor  communities — that  would  provide  a  necessary 
interface  between  conformity  assessment  program 
components. 

Under  this  proposed  approach,  the  BMO  (along 
with  NIST  and  other  government  organizations)  will 
continue  to  provide  input  to  the  development  of 
product  and  testing  standards  for  biometric  technolo¬ 
gies.  These  standards  will  be  available  to  vendors  and 
testing  laboratories  alike.  Vendors  of  biometric  tech- 
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nologies  will  be  able  to  design,  build,  and  self-test 
their  products  with  respect  to  these  standards. 

Efforts  in  Motion 

DEVELOP  BIOMETRIC  STANDARDS 

Nearly  every  aspect  of  biometric  technology  must  be 
standardized  to  ensure  the  interoperability  and  inter¬ 
changeability  of  data,  systems,  and  components.  The 
BMO  and  BFC  have  begun  work  in  this  effort  with 
acceptance  of  the  Biometric  Application  Program¬ 
ming  Interface  (BioAPI)  standard.  Other  standards, 
such  as  data  interchange  format  standards  for  biomet¬ 
rics  and  DoD  application  profile  standard,  are  being 
developed.  These  efforts  are  essential  to  the  integra¬ 
tion  of  biometric  technologies  for  DoD.  They  are  the 
building  blocks  of  a  solid  conformity  assessment  pro¬ 
gram. 

DEVELOP  CONFORMANCE  TEST  STANDARDS 

To  ensure  interoperability,  and  conformance  of  bio¬ 
metric  products  to  national  and  international  stan¬ 
dards,  standardized  conformance  testing  methods 
must  be  developed  and  recognized.  The  BMO  and 
BFC  are  currently  working  on  several  conformance 
testing  methods  in  collaboration  with  national  and 
international  standards  bodies.  We  are  in  the  begin¬ 
ning  stages  of  development,  recognition,  and  subse¬ 
quent  implementation  of  the  necessary  standards  for 
conformance  testing  of  each  related  biometric  tech¬ 
nology. 

DEVELOP  CONFORMANCE  TEST  TOOLS 

Conformance  testing  methods,  in  and  of  themselves, 
are  not  sufficient  tools  for  testing.  If  testing  organiza¬ 
tions,  such  as  BFC,  are  to  perform  the  validation  and 
verification  of  the  biometric  products,  an  executable 
CTS  must  be  implemented.  The  BMO  and  BFC  are 
working  to  identify  existing  tools.  In  addition,  the 
BMO  and  BFC  are  developing  tools  that  will  imple¬ 
ment  the  standardized  conformance  testing  methods. 
For  example,  the  BMO  and  BFC  are  developing  a 


BioAPI  CTS  following  the  methods  outlined  in  draft 
national  and  international  BioAPI  conformance  test¬ 
ing  standards.  The  goal  of  the  BMO  and  BFC  is  to 
make  conformance  test  tools — like  the  BioAPI  CTS — 
publicly  available.  Vendors  will  then  be  able  to  deter¬ 
mine  if  their  products  meet  the  selected  standards. 

Efforts  for  the  Near  Future 

APPLY  STANDARDS  TO  CONFORMANCE  TESTING 

With  conformance  testing  methods  and  test  suites 
appropriate  to  the  specific  technology  involved,  the 
BFC  can  incorporate  full  accountability  and  visibility 
into  its  objective  and  subjective  testing  methods,  pro¬ 
viding  a  higher  degree  of  incontrovertible  test  results. 
It  is  well  known  that  the  cost  of  correcting  mistakes 
increases  as  products  move  beyond  research  and  de¬ 
velopment  and  into  implementation  phases.  The 
greater  use  of  recognized  industry  standards  also  al¬ 
lows  DoD  conformance  testing  to  push  the  costs  of 
faulty  or  non-interoperable  biometric  system  compo¬ 
nents  toward  a  preemptive,  early  error  detection  and 
correction  phase.  Vendors  can  concentrate  more  effi¬ 
ciently  on  development  to  meet  the  standards 
adopted  by  DoD.  Testing  and  certification  processes 
will  move  with  greater  ease  and  expediency. 

ACCREDIT  TESTING  LABORATORIES 

Testing  laboratory  accreditation,  by  a  respected  inde¬ 
pendent  accreditation  body,  will  provide  the  stamp  of 
conformance  to  widely  recognized  laboratory  stan¬ 
dards  to  which  the  BFC  should  understandably  be 
held  accountable.  This  accreditation  will  give  the 
BFC  greater  credibility  with  vendors  and  other  test¬ 
ing  laboratories.  Accreditation  is  a  necessary  step  to¬ 
ward  obtaining  the  benefits  that  mutual  recognition 
agreements  provide. 

Longer-Term  Efforts 

CREATE  OR  IDENTIFY  A  CERTIFICATION  AUTHORITY 

Having  an  independent  certification  authority  verify 
and  validate  test  results  will  provide  added  confidence 
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Biometrics  Fusion  Center 

The  DoD  BFC  is  establishing  itself  as  the  biometric  technology  center  of  excellence  for  the  DoD.  The  BFC  tests  and 
evaluates  biometric  products,  supports  the  development  of  standards  and  performance  measures,  provides  biometric 
repository  support,  and  provides  technical  implementation  and  integration  support  to  DoD  organizations. 

The  BFC  recently  moved  into  a  new  facility  in  Clarksburg,  WV,  that  significantly  expands  its  capabilities.  The  BFC  has 
a  state-of-the-art  demonstration  center  that  highlights  current  and  future  biometric  applications  of  interest  to  DoD. 
For  more  information,  visit  www.biometrics.dod.mil. 


in  the  products  and  systems  tested.  The  certification 
authority’s  attached  certification  control  board  will  be 
able  to  resolve  technical  questions  or  disputes  that 
may  be  related  to  the  testing  process.  The  certification 
authority  is  able  to  provide  certificates  of  validation, 
conformance,  and  interoperability  to  products,  sys¬ 
tems,  vendor  quality  systems,  and  personnel. 

ESTABLISH  MUTUAL  RECOGNITION  AGREEMENTS 

Mutual  recognition  agreements  (MRAs)  allow  ac¬ 
credited  testing  laboratories  and  product  acceptance 
systems  to  recognize  the  testing  results  of  other  labo¬ 
ratories  as  being  in  conformance  with  applicable,  rec¬ 
ognized  standards.  This  reduces  the  costs  of  testing 
and  approval  processes  by  eliminating  redundant  test¬ 
ing — testing  that  has  already  been  completed  by  a 
competent  laboratory  whose  findings  DoD  will  rec¬ 
ognize  as  valid.  Establishing  MRAs  to  recognize  the 
certified  results  of  other  certification  authorities  out¬ 
side  of  the  direct  DoD  system  is  also  possible. 

Conclusion 

With  the  open  promotion  and  integration  of  recog¬ 
nized  product  and  test  standards,  the  accreditation  of 
testing  laboratories,  and  the  implementation  of  ac¬ 
cepted  test  validation  and  product  certification  by  an 
independent  agency,  DoD  will  have  greater  confi¬ 
dence  in  the  interoperability  of  biometric  systems. 


Expediency  and  best  efforts  are  required  to  protect 
facilities,  people,  and  information  and  to  address  the 
relatively  new  challenges  for  identification  and  track¬ 
ing  in  the  global  war  on  terrorism.  A  conformity  as¬ 
sessment  program  established  within  DoD  will  help 
increase  efficiency  and  accuracy  of  validation  and  ver¬ 
ification  of  interoperability  for  biometric  technolo¬ 
gies,  devices,  and  data.  Tested  and  validated 
interoperability  will  provide  logical  security  for  DoD 
information  systems;  physical  security  on  bases,  mo¬ 
bile  platforms,  and  other  installations;  and  tracking  of 
friendly  personnel,  as  well  as  enemy  combatants, 
common  criminals,  and  potential  terrorists — for  now 
and  in  the  future. 
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